“I can honestly say that it hurts me” – said German chancellor Angela Merkel when asked how she feels about her agencies attributing the 2015 attack on the German parliament “Bundestag” to Russia. “On the one hand, I try to improve relations with Russia on a daily basis, and when then, on the other hand, we see that there is hard evidence that Russian forces are operating in such a way” (Burchard, 2005). By issuing an international arrest warrant against a Russian hacker working for Moscow’s military intelligence service in May 2020, the federal prosecutors’ office has also taken a clear stance on attributing one of the most severe cyber-attacks in Germany – a task usually considered most challenging when scrutinizing cyber-incidents. While attribution was difficult, the execution of the attack on the “Bundestag” seemed rather simple and revealed deficiencies in German cyber defense – “it hurts”.
In the following, this paper will briefly describe the attack in spring 2015 with reference to the technologies involved, scrutinize the operational objective and the question of attribution, and finally formulate policy recommendations to mitigate an attack in the future.
Intrusion & Persistence. Despite competing reports around the exact date, the attackers gained initial access to the Bundestag network in late April or early May 2015 with spear-phishing emails from a “un.org” address (Beuth, Biermann, Klingst, & Start, 2017) and/or a drive-by compromise through a watering hole attack (Feilner & Kleinert, 2016). While spear-phishing focusses on forging emails from usually trustworthy senders and “socially engineering” targets to click on links to download malicious content or give away their credentials (ATT&CK, 2020b), a watering hole attack seeks the same goal – a target to click on a link – yet by spying on regular website visits and manipulating these frequented websites, e.g. with malicious banners or ads (ATT&CK, 2018b). Possibly by exploiting a loophole in a broken multimedia extension of a browser plugin (Feilner & Kleinert, 2016), the attackers infiltrated accounts of members of parliament (MP) from “Die Linke” (The Left). Then the attackers loaded several programs to secure their “foot in the door” and expanded the intrusion.
Credential Access. Combining the open-source “mimikatz” tool, which scrapes Windows logins and passwords (ATT&CK, 2020a), with a pass-the-hash attack, which exploits Windows single sign-on features by passing the hashed password (instead of clear text) to log in (ATT&CK, 2020c), the attackers acquired admin credentials and entered the network’s Active Directory – the core of a Windows network that creates and manages accounts, users and objects (Christensson, 2017). Now the attackers could move freely in the network, download more programs, such as keylogger and screenshot programs (BSI, 2015), and extract data to external servers – all of this without being noticed until May 12, 2015.
Collection, Exfiltration & Defense. Despite reports of suspicious activity from Bundestag employees around May 8, it took German domestic intelligence pointing out strange data flows from the parliament’s network to external servers on May 12 for the parliament’s IT department to start taking counter-measures. In the meantime, approximately 16 gigabytes of confidential documents had been extracted to a server registered by the French OVH hosting company and hosted by a hosting company called “CrookServers[.]com” in Pakistan (BSI, 2015). Starting on May 16, 2015, the Federal Office for Information Security (“Bundesamt für Sicherheit in der Informationstechnik”, BSI) supported the overwhelmed IT department of the Bundestag to neutralize the attackers (Beuth et al., 2017). The BSI first tried to channel the Bundestag network through the “IVBB”, the higher secured network of the German federal ministries that the Bundestag is not part of, and later shut down the Bundestag network completely; in its final report on the attack, it claimed to have removed all attackers by the end of May 2015 (BSI, 2015).
Core tools. At the core of the attack were two artifacts analyzed in an independent report by the Italian cyber specialist Claudio Guarnieri on behalf of “Die Linke” (Guarnieri, 2015). The first artifact, called “Winexesvc.exe”, was found on a file server of “Die Linke” and works as a remote command tool to instruct a Windows server from a Linux host. It is a derivative of the open source utility “Winexe” and is now ranked 42 out of 70 on VirusTotal under the label “FancyBear.GermanParliament” – a reference to the attributed attacker group “Sofacy”, also known as “Fancy Bear”. The second artifact, called “svchost.exe.exe”, is a “custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.” (Guarnieri, 2015, p. 4). It was retrieved from an admin controller of “Die Linke” and resembles the malware “XTunnel” in functionality and design (ATT&CK, 2020d). In his analysis, Guarnieri found the hardcoded IP address “220.127.116.11” in the software, which confirmed reports of German authorities on a command and control (C&C) server with links to Pakistan. Today, “svchost.exe.exe” has a VirusTotal score of 52 out of 73 and is labelled as Trojan malware.
Attribution. The discovered IP address provides the strongest link to the presumed attackers – the hacker group “Sofacy Group”, also known as “Fancy Bear”, “APT28” or “Operation Pawn Storm”. Analyzing the C&C server behind the IP address, German authorities and Guarnieri concurrently found a shared SSL certificate with another IP address that has been used in phishing attacks against the Ukrainian and Albanian governments. The latter attack, in which the attackers tried to phish government data by “typosquatting” Albanian government domains, was successfully attributed to Sofacy Group in late 2014 (pwc, 2014). Sofacy Group, under their alias “Operation Pawn Storm”, has been characterized by TrendMicro in 2014 as using “a mix of spear-phishing emails and specially crafted webmail service phishing websites to gain access to victims’ inboxes in hopes of getting better footholds inside target organizations. So as not to raise suspicion, the attackers used well-known events and conferences as social engineering bait” (TrendMicro, 2014, p. 16). Despite direct links to Russia found in the forensics of the 2015 Bundestag attack, a 2014 report of US cybersecurity company FireEye provides strong evidence that Sofacy is operated out of, if not by, Russia. Sofacy has employed sophisticated tools for attacks since at least 2007, has targeted several countries in the (geo)political interest sphere of the Russian Federation, such as Georgia, Eastern Europe or NATO, and is held accountable for leaking the internal emails of the Democratic party and damaging the reputation of presidential candidate Hillary Clinton (FireEye, 2014; TrendMicro, 2015).
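A defender can screen hostnames seen in mail or proxy logs for the kind of typosquatting described above. The following is an added example, not code from any of the cited reports: the protected names are the two lookalike pairs given in this paper's typosquatting footnote, while the confusable-character table, the length threshold and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumed, deliberately small table of look-alike characters.
CONFUSABLE = str.maketrans({"q": "g", "0": "o", "1": "l", "5": "s"})

def skeleton(host):
    """Fold a hostname to the form a hurried reader perceives."""
    h = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    # "rn" reads as "m"; a hyphen is easily taken for a label separator.
    return h.replace("rn", "m").replace("-", ".").translate(CONFUSABLE)

def edit_distance(a, b):
    """Plain Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, protected):
    """Return (imitated_domain, reason), or None if host is not a lookalike."""
    h = host.lower().rstrip(".")
    if any(h == p or h.endswith("." + p) for p in protected):
        return None  # the genuine domain or one of its subdomains
    s = skeleton(h)
    for p in protected:
        sp = skeleton(p)
        if s == sp or s.endswith("." + sp):
            return (p, "confusable")
        # Short names sit one edit away from many legitimate domains
        # (gov.al / gov.at), so the distance check needs a minimum length.
        if len(p) >= 8 and edit_distance(h, p) == 1:
            return (p, "edit-distance-1")
    return None

PROTECTED = ["gov.al", "login.webmail.owa.org"]
# Constructed hostnames as they might appear in mail or proxy logs.
SEEN = ["mail.gov.al", "qov.al", "login.webmail-owa.org", "gov.at",
        "login.webmai.owa.org", "portal.g0v.al"]

def scan(hosts, protected=PROTECTED):
    """Map each lookalike hostname to the domain it imitates and why."""
    return {h: hit for h in hosts if (hit := classify(h, protected))}
```

Internationalized (punycode) names are not decoded here, so homoglyphs outside ASCII would need an additional decoding step before the comparison.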
Operational objectives. The attackers’ operational objectives can be reverse-engineered from their effective targets: the perpetrators extracted PDF files, MS Office documents and email communication of MPs involved with intelligence and Russian affairs (Beuth et al., 2017; Feilner & Kleinert, 2016; Guarnieri, 2015). Among the affected MPs was German Chancellor Angela Merkel, though the attack only compromised documents from her role as MP, not as Chancellor, as well as two members of the “Vertrauensgremium” (Trust committee), an exclusive circle of MPs overseeing projects and budgets of German intelligence agencies. Indicating an even stronger Russian motivation are the exploits of the offices of Martin Rabanaus, who criticized the Crimean annexation in Ukraine only months before the attack, and of MPs from “Die Linke”. “Die Linke” is a leftist, long-time opposition party known for its moderate stance towards Russia. Cyber analysts argued that they might have fallen victim to the attack to better understand their position on Russia to support a pro-Russian course in the 2017 election (Beuth et al., 2017). In summary, the attack was clearly geared towards Germany, with exploit scripts designed for German time and date formats (Guarnieri, 2015), and aimed for documents from members of parliament that were involved with intelligence or Russian affairs. Together with the technical evidence pointing towards Sofacy, there are significant pieces of evidence pointing towards a large-scale, government-approved attack against the German parliament.
Improvements & recommendations. In the aftermath of the attack, several improvements have been implemented: To avoid phishing, the Bundestag network now prohibits executable programs other than those previously whitelisted and requires two-factor authentication for logins to mitigate a “pass-the-hash” attack (IuK-Kommission, 2015). In addition, the exploited loophole in a browser plugin was instantly patched and the overall security architecture of the Bundestag network has been overhauled (Feilner & Kleinert, 2016). On the organizational level, one policy recommendation stands out: With a better threat intelligence and warning system, it is most likely that the 2015 Bundestag attack could have been prevented (or at least mitigated). On April 13, 2015 – 17 days before the presumed beginning of the attack – the French C&C server was red-flagged by the government network that operates all ministries on the so-called “Oberste Netzebene” (highest network level) but not the German parliament (Biselli, 2016). In addition, BSI warned against Silver ticket attacks in January 2015 – just the technique that attackers employed to make their way to the Active Directory of the Bundestag network (Feilner & Kleinert, 2016). As seen most often, the success of the attack can be ascribed not to the ingenuity of the attackers but rather to the neglect of the defenders. So, to disincentivize attackers, it remains imperative to improve defense capabilities by enhancing coordinated incident response management, threat intelligence and warning on, e.g., malicious servers or red-flagged exploit techniques.
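What a shared warning makes possible can be shown by matching outbound flow records against an indicator feed and measuring how long each indicator was known before the first contact. This is an added example, not taken from the BSI report or any cited source: the feed format, field names and all records are constructed, the addresses are RFC 5737 documentation addresses rather than real indicators, and the dates merely mirror the 17-day gap described above.

```python
import ipaddress
from datetime import date, datetime

# Constructed indicator feed: network or single address -> date it was shared.
FEED = {
    "203.0.113.10/32": date(2015, 4, 13),
    "198.51.100.0/28": date(2015, 5, 20),
}

# Constructed outbound flow records:
# (timestamp, internal host, destination, bytes sent).
FLOWS = [
    ("2015-05-04T22:40:00", "10.0.5.21", "203.0.113.10", 3_500_000_000),
    ("2015-04-30T09:12:00", "10.0.5.21", "203.0.113.10", 4_200),
    ("2015-05-06T23:05:00", "10.0.7.3", "203.0.113.10", 6_000_000_000),
    ("2015-05-07T10:00:00", "10.0.7.3", "198.51.100.7", 90_000),
    ("2015-05-07T10:01:00", "10.0.7.3", "192.0.2.80", 1_200),
]

def match_flows(flows, feed):
    """Summarise traffic to flagged destinations, keyed by feed entry."""
    nets = [(ipaddress.ip_network(k), k, d) for k, d in feed.items()]
    report = {}
    # ISO timestamps sort chronologically, so the first hit is the earliest.
    for ts, src, dst, sent in sorted(flows):
        addr = ipaddress.ip_address(dst)
        for net, key, flagged in nets:
            if addr not in net:
                continue
            seen = datetime.fromisoformat(ts)
            row = report.setdefault(key, {
                "first_seen": seen,
                "bytes_out": 0,
                "hosts": set(),
                # > 0: the warning predates first contact (blocking was possible);
                # < 0: the indicator arrived later, a retro-hunt finding.
                "warning_lead_days": (seen.date() - flagged).days,
            })
            row["bytes_out"] += sent
            row["hosts"].add(src)
    return report
```

A positive `warning_lead_days` marks traffic that an egress block fed from the same list could have stopped, while a negative value shows why stored flow logs should be re-checked whenever new indicators arrive.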
It will hurt again. By issuing an arrest warrant, the German federal prosecutors have closed investigations into the 2015 Bundestag attack – knowing that the warranted Russian hacker will never be arrested, let alone face trial. While interest fades and history books start to imbibe the attack, questions of how to deal with cyber-attacks on the (geo)political level remain unanswered: How should Germany have retaliated for the intrusion of one of its most sacred constitutional organs? How can the protection of the nontangible cyberspace be prioritized? How can countries deter adversaries from shifting what would be outrageous in the analog world to cyberspace? Unfortunately, most of these questions will only be addressed when it hurts again.
This paper was submitted as final paper to the course "Basics of Cybersecurity" at Columbia University's School of International and Public Administration (SIPA), lectured by Prof Colin Ahern, Adjunct Professor at SIPA and Deputy Chief Information Security Officer for the City of New York, overseeing Security Sciences for NYC Cyber Command.
- For SHA256 hash: 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d
- This unconcealed IP address serves as a strong sign for the lack of interest of the attackers to cover their tracks, in particular as it would have been fairly easy to hide the C&C server as hidden service, either with or without TOR (Grooten, 2015).
- For SHA256 hash: 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
- “Typosquatting” is a social engineering technique that tricks victims into trusting domain or email names that look similar at first glance (“qov.al” instead of “gov.al” or “login.webmail-owa.org” instead of “login.webmail.owa.org”) (ATT&CK, 2018a).
- ATT&CK. (2018a). Buy domain name, Technique T1328 - PRE-ATT&CK | MITRE ATT&CK®. Retrieved from https://attack.mitre.org/versions/v7/techniques/T1328/
- ATT&CK. (2018b). Drive-by Compromise, Technique T1189 - Enterprise | MITRE ATT&CK®. Retrieved from https://attack.mitre.org/techniques/T1189/
- ATT&CK. (2020a). Mimikatz, Software S0002 | MITRE ATT&CK®. Retrieved from https://attack.mitre.org/versions/v7/software/S0002/
- ATT&CK. (2020b). Phishing: Spearphishing Link, Sub-technique T1566.002 - Enterprise | MITRE ATT&CK®. Retrieved from https://attack.mitre.org/techniques/T1566/002/
- ATT&CK. (2020c). Use Alternate Authentication Material: Pass the Hash, Sub-technique T1550.002 - Enterprise | MITRE ATT&CK®. Retrieved October 17, 2020, from https://attack.mitre.org/versions/v7/techniques/T1550/002/
- ATT&CK. (2020d). XTunnel, Software S0117 | MITRE ATT&CK®. Retrieved from https://attack.mitre.org/versions/v7/software/S0117/
- Beuth, P., Biermann, K., Klingst, M., & Start, H. (2017, May 12). Cyberattack on the Bundestag: Merkel and the Fancy Bear | ZEIT ONLINE. Retrieved October 17, 2020, from https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia/komplettansicht
- Biselli, A. (2016). Wir veröffentlichen Dokumente zum Bundestagshack: Wie man die Abgeordneten im Unklaren ließ. Retrieved October 16, 2020, from https://netzpolitik.org/2016/wir-veroeffentlichen-dokumente-zum-bundestagshack-wie-man-die-abgeordneten-im-unklaren-liess/
- BSI. (2015). Informationen zum Cyberangriff auf den Bundestag – hier: Abschlussbericht BSI. Bonn. Retrieved from https://netzpolitik.org/2016/wir-veroeffentlichen-dokumente-zum-bundestagshack-wie-man-die-abgeordneten-im-unklaren-liess/#abschlussbericht_bsi_20151103
- Burchard, H. (2005). Merkel blames Russia for ‘outrageous’ cyberattack on German parliament – POLITICO. Politico.Eu. Retrieved from https://www.politico.eu/article/merkel-blames-russia-for-outrageous-cyber-attack-on-german-parliament/
- Christensson, P. (2017, July 13). Active Directory Definition. Retrieved October 17, 2020, from https://techterms.com/definition/active_directory
- Feilner, M., & Kleinert, J. (2016). Bundestag-Hack: Die Ursachen, der Ablauf und die Folgen. Retrieved October 17, 2020, from https://www.linux-magazin.de/ausgaben/2016/04/bundestags-it/
- FireEye. (2014). APT28: A window into Russia’s cyber security.
- Grooten, M. (2015). Virus Bulletin :: Vawtrak uses Tor2Web to connect to Tor hidden C&C servers. Retrieved October 16, 2020, from https://www.virusbulletin.com/blog/2015/06/vawtrak-uses-tor2web-connect-tor-hidden-c-amp-c-servers
- Guarnieri, C. (2015). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved from https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
- IuK-Kommission. (2015). Prüfung der Umsetzung weiterer Maßnahmen zur IT-Sicherheit Vorlage für die IuK-Kommission. Retrieved from https://netzpolitik.org/2016/wir-veroeffentlichen-dokumente-zum-bundestagshack-wie-man-die-abgeordneten-im-unklaren-liess/#beschlussempfehlung_iuk_20151030
- pwc. (2014). Cyber Threat Operations Tactical Intelligence Bulletin - Sofacy Phishing. Retrieved from http://threatexpert.com/reports.aspx?find=netids.dll
- TrendMicro. (2014). Operation Pawn Storm: Using Decoys to Evade Detection. Retrieved from https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
- TrendMicro. (2015). Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House - TrendLabs Security Intelligence Blog. Retrieved October 16, 2020, from https://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/